What can hackers do with your email address?

by

This blog post will answer the question, “What can hackers do with your email address?” and cover topics like how your email address can be used for gathering privileged information or just for the purpose of causing reputational damage.

What can hackers do with your email address?

In the hands of a skilled hacker, an email address can be quite a valuable commodity. Acquiring a strategically assigned email address can have the following benefits for a hacker:

  • Selling the information (email address) to other hackers
  • Access to more contacts and potential victims
  • Acquiring insider – and privileged information
  • Credential theft and possible access to other accounts and systems
  • Establish a base of operation and foothold from your account by assuming your identity
  • Wreak havoc on your personal –, professional – and financial life
  • Identify more prominent targets and plan larger campaigns

A carefully crafted email can open doors to career prospects, convey messages to loved ones, deliver files, and communicate confidential information in the blink of an eye. However, in an age where information is currency and knowledge is power, most hackers will not hesitate in making attempts to access this potential treasure trove.

How do hackers use a compromised email account?

If we are perfectly honest with ourselves, we will acknowledge that we embraced email technology without much thought or hesitation, since it was comparably faster than a written letter (snail- mail), but we were a lot slower in applying the necessary safety measures to keep our emails secure.

To this day, we struggle to accept the responsibilities of the contents of our emails and email accounts or apply the necessary measures to maintain the appropriate level of effort that is required by modern cyber security processes or online security practices. 

Hackers are humans too, so they know this and seek to exploit this weakness as much as they possibly can.

Selling the information (email address) to other hackers

In the past, before we had laws and regulations such as GDPR and POPIA, it used to be common practice for some companies to sell or share contact information to other companies, like call centers, to be used to generate potential leads, future sales and a profit. In much the same way, hackers make a profit based on this tried and tested method. Modern hackers view their operations as a business and will often sell their services and information acquired to the highest bidder.

So, if a potential client of theirs can benefit from acquiring your email account, the hacker will be willing to find, access and sell it to them.

Access to more contacts and potential victims

Like we mentioned before, modern hackers view themselves as entrepreneurs and often function like a business would: by acquiring leads and acting on or selling it for a profit or to use in a future campaign. A compromised email account can lead to a compromised digital contact list and an abundance of potential victims that can be exploited for profit or used in their future endeavors.

Acquiring privileged and sensitive information

Email is used to disseminate and communicate all types of information including employment contracts, utility bills, debtor and creditor information, communications from your child’s school, love letters etc. Except for the concern of what unsavory things can happen if a cybercriminal chooses to delve into these factors of your personal life, it can also be used for social engineering attacks. 

Credential theft and possible access to other accounts and systems

Many people opt to use their email addresses as the username for other accounts. When we are locked out of those accounts, we can request that an OTP (One Time Pin) be sent to our mobile phone numbers or an email account. Some sites still send an automated link that allows us to update the account with a new password immediately. 

This method can be used by an attacker to gain and maintain access to other accounts that we own. It is also possible for the hacker to see credentials that are emailed to us, for example, IT administrators that do not use best practices when resetting accounts to systems on your behalf.

Once an attacker knows your possible password and credential combinations, they know that they likely have access to multiple systems as well, since we are prone to reuse passwords and not change them regularly across multiple access points. 

What we do in habit tends to continue at work as well as at home, so you are likely to use similar character patterns when generating your personal passwords than what you use for business and systems accounts. 

Establish a base of operation and foothold by assuming your identity – Furthering their agenda

Most of the time we confirm the validity of an email by looking at the email address. This also applies to email management systems, software and email security devices that aim to protect us against email attacks and fraudulent activities related to email. If your work email has higher privileges than others or you are privy to or have regular communication with key personnel like the CEO (and in some cases their schedules and email accounts), a hacker posing as you, can establish a very convenient foothold within your organization and infiltrate more accounts. By making use of this method, hackers can eavesdrop and intercept communication and respond on your behalf or craft malicious emails to deliver malware, ransomware or steal information. If any potentially malicious activities, like the exfiltration of sensitive data, takes place and the activity is detected by the security controls within the company, then it will implicate you because your account would be the likely origin.

Hackers are very efficient in staying anonymous and, in contradiction to their trade, do not want their identities known. Making use of your account and identity makes it easier for them to operate in secrecy without risking exposure or being identified.

Wreak havoc on your personal -, professional – and financial life

It is safe to assume that a hacker will only have bad intentions when gaining access to any of your accounts. The same goes for any predator when it has its sights on a potential prey.

A hacker with access to your email accounts can send inflammatory emails to all your contacts, and respond to previous correspondence or notifications on your behalf.

They will also be able to read previous correspondence that you thought were private and confidential, this may include love letters and correspondence that is very sensitive in nature.

Imagine an online affair that may or may not have ended, that you do not wish to disclose at this time or an email you sent to a trusted friend where you ranted about your manager or your current employment. A Hacker can decide to use this information as leverage for extortion, share it with others on your contacts list, or just simply make it public by posting it online.

A truly creative and vindictive hacker can make use of your account and identity to create another account to a site that you would not normally join due to your affiliations, religion, career, or moral values and then share this activity with others you may know. 

It is also a strong probability that your compromised email account can be used for future hacking campaigns and illegal activity, which can land you in hot water. 

Since the hacker will be using your email account and identity, it will be very difficult to prove that you are not the person involved in the questionable activities and this can completely derail your life.

Identify more prominent targets and plan larger campaigns

With your email address at their disposal, hackers can be creative in crafting targeted attacks aimed at the contacts contained within your contacts list, especially if they are high valued targets such as business executives.

A hacker can use the composition of your email address and guess the email addresses of other employees within your company and use those in spear phishing campaigns, to deliver malware or gather more information on another potential target.

Since a skilled and motivated hacker will not be satisfied with just the email address, they will likely ensure that they have access to the account as well. This will allow them to read the contents of personal and privileged correspondence and use the information to design and plan larger attacks or social engineering campaigns

Conclusion

Hackers can be very resourceful and will attempt to use your email address to access your accounts, create new accounts, gather information on other potential targets, cause irreparable harm to your reputation or sell the email account to other groups affiliated with them.

  • Be mindful of the contents of your email messages and who you send it to.
  • Avoid sending or saving emails containing passwords in clear text.
  • Do not click on links or URLs within an email if the source or sender of that email is not known to you or you are not expecting the email. The same goes for attachments.
  • Never use the same passwords for multiple accounts and change your passwords regularly (at least every three months). A good practice or habit is to make use of additional layers of security such as 2FA (Two factor Authentication) where possible, encryption tools or complex password generators.
  • Be a good cyber citizen. Notify your contacts and stakeholders as soon as you realize there may have been a security bridge and you suspect that your email account has been accessed by an intruder. 
  • Ensure that your mobile or any other devices that are being used to access and send your emails are secure and are applying the same high standards of email security.
  • Report suspicious emails to the appropriate security professionals within your company as soon as possible. Most modern organizations are equipped with a support service that deals with cyber threats and should be contacted as soon as the concern arises.

Leave a Comment